Summary
Under the proposed Cloud and AI Development Act (CADA), an "auditing organisation" is broadly defined (Article 2(17)) as an individual organisation, a consortium, or another combination of organisations — including any subcontractors — that the audited cloud computing service provider contracts to perform an independent audit. To perform CADA audits, it must be independent and free of conflicts of interest, have proven technical competence in auditing cloud computing services, and meet objectivity and professional-ethics standards (Article 20(4)). As proposed, providers cannot self-audit with in-house teams; the audit must be external, and strict rotation and conflict rules apply.
Detail
CADA's sovereignty framework relies on independent third-party audits for services seeking Union assurance levels 2, 3 or 4. Knowing who qualifies is essential for any provider aiming for recognition.
Definition and scope
Article 2(17) defines an "auditing organisation" as:
"an individual organisation, a consortium or other combination of organisations, including any subcontractors, that the audited cloud computing service provider has contracted to perform an independent audit."
The definition is deliberately broad to accommodate complex audit structures: a provider may engage a single firm, a consortium, or a lead auditor that subcontracts specific technical tasks. The primary contractual relationship for the independent audit is between the provider and the auditing organisation.
Independence and conflict of interest
Independence is the cornerstone. Article 20(4)(a) requires auditing organisations to be independent from, and free of conflicts of interest with, the provider and any legal person connected to it — in particular, the organisation must:
- No recent or near-future non-audit services. Not have provided non-audit services related to the matters audited to the provider or connected persons in the 12 months before the audit begins, and commit not to provide such services in the 12 months after completion (Article 20(4)(a)(i)).
- No recent audit services. Not have provided auditing services under this Article to the provider or connected persons in the 10 years before the audit begins (Article 20(4)(a)(ii)) — a long-horizon rotation rule.
- No contingent fees. Not perform the audit for fees contingent on its result (Article 20(4)(a)(iii)).
These rules effectively bar in-house audit teams or internal compliance functions from acting as the "auditing organisation" for CADA recognition. The audit must be performed by an external entity with no stake in the provider's success.
Technical competence and professional ethics
Independence alone is not enough. Article 20(4)(b) requires proven expertise, technical competence and capabilities in auditing cloud computing services, and Article 20(4)(c) requires proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.
Because cloud sovereignty audits involve complex technical and legal assessments — data localisation, supply-chain transparency, absence of third-country control — deep technical knowledge is required. The Commission is empowered to adopt delegated acts under Article 20(9) (in accordance with Article 45) to lay down detailed rules on performing audits, including procedural steps, rules for auditing organisations and their technical competences, auditing methodologies and report templates. So the principles are in the proposal, with precise qualifications to be specified in secondary legislation.
Audit evidence, confidentiality and cooperation
The auditing organisation assesses compliance against the criteria in Annex II on the basis of the audit evidence listed in Annex III (Article 21). That evidence must be relevant and sufficient, and reliable according to the organisation's professional judgment and scepticism (Article 21(2)). The provider must cooperate and give access to all relevant data and premises, and must refrain from hampering or unduly influencing the audit (Article 20(2)). The auditing organisation must ensure an adequate level of confidentiality and professional secrecy over information obtained, including after the audit ends (Article 20(3)).
What this means for you
For providers and data centre operators, selecting an auditing organisation is a strategic compliance decision.
- No in-house audits. You cannot use internal quality-assurance or compliance teams to produce the audit report required for levels 2–4. You must contract an external entity.
- Vet for independence. Check the auditor's history with you: if they provided you non-audit services related to the matters audited in the past 12 months, or audited you under this Article in the past 10 years, they are disqualified (Article 20(4)(a)). They must also commit not to provide such non-audit services for 12 months after the audit, and their fee must not depend on the audit's outcome.
- Confirm technical fit. Ensure demonstrable experience in cloud infrastructure and sovereignty criteria — the audit reaches into your SBOM, supply-chain controls and data flows. An auditor lacking cloud expertise risks a weak assessment or costly re-audits.
- Manage subcontracting. If your auditing organisation uses subcontractors, the whole chain must meet the independence and competence requirements; Article 2(17) expressly includes subcontractors within the definition.
Common misconceptions
- "Any ISO-certified auditor can audit us for CADA." Incorrect. CADA requires proven expertise specifically in auditing cloud computing services (Article 20(4)(b)); the criteria target cloud sovereignty, data localisation and third-country control beyond general certifications.
- "We can use our internal security team to perform the audit." Incorrect. The independence requirement and the 12-month non-audit-services bar (Article 20(4)(a)(i)) effectively exclude internal teams; the audit must be external and contracted.
- "We can use the same auditor every year." Incorrect. Article 20(4)(a)(ii) bars an organisation that has provided audit services under this Article to the provider in the prior 10 years — a long-term rotation rule. (Note the audit report is itself reviewed annually for continued compliance under Article 20(8).)
This is general information about a draft EU regulation, not legal advice.